Sunday, February 9, 2014

[cybersecurityauditing] 2014’s Cyber Threat Predictions

1. BYOD makes two of the prolific lists of cyber threats released for the year ahead. Grouped with Cloud services, this new technological development poses more and more of a risk to information security.

Experts recommend: If you can’t eliminate BYOD or Cloud, make sure to implement them early, correctly and, where possible, with clear boundaries to distinguish between personal and professional data.

2. Reputational damage is largely dependent on how efficient your incident-response plan is. Time and time again we hear that companies are more than likely to have already suffered an attack and not even know it. Not a day goes by without a hacking story surfacing in the news. Improving security defences is of course recommended, but for companies that want to stay ahead there is some more advice:

Experts recommend: Once the damage is done, a good response time can make the difference between a company’s survival and its failure. Plus, it’s not only the IT department that must take all the heat. Coordinated efforts throughout the entire organization are necessary to mitigate the issues. Just look at the #RBSglitch or the BA promoted tweet incidents to see the damage that can be done.

3. Privacy and regulation, mainly on the issue of data management. It is common practice for companies to store and process third-party data, but when sub-contractors are involved the safety of this data is not entirely clear until a breach occurs. Sadly, their security standards may not always be at the same level as yours.

Experts recommend: A closer inspection of the subcontractors and clear guidelines on responsibility, obligations and legal roles in case of a breach.

4. Cybercrime – This is quite a broad spectrum. Fast tech developments, isolated and under-invested IT departments, increased online hacktivism and regulatory frameworks that simply do not update fast enough provide the perfect recipe for cybercrime.

Experts recommend: Rapid progress does not only occur in the criminal world. The past 12 months have shown a great increase in sophisticated tools, cyber forensics, prevention mechanisms and improvements in response protocols, which looks promising in terms of preventing and protecting against online attacks. So use these tools, and evaluate and update your systems and defences to make the best use of these technological developments.

5. The IoT (Internet of Things) has become quite visible in the media lately, especially since Symantec reported a new worm specifically targeting the IoT. The Internet of Things is a concept which assigns physical objects virtual representations that would enable interaction without human interference. The threats on PCs have plenty of negative implications that can affect life, work, play and finances, but the IoT takes it a step further and connects the virtual world with the real one.

Experts recommend: Attention to future concerns regarding the protection of these devices, and more research allocated to the development of IoT. As attackers test against different architectures, proving the intent for more targeted attacks, the potential for physical harm looms closer.

6. Malicious insider – Predictions say that for 2014, companies should expect a significant number of data breaches to come from inside. Such attacks can go undetected and, if discovered, will rarely be heard of outside the organisation.

Experts recommend: Naming and shaming the attackers may be a good deterrent, but knowing the data breach regulations and accountability rules is also strongly recommended, so that organisations that have fallen prey to intellectual property theft know how to proceed.

7. Corporate auditing committee results can be costly if you haven’t carried out a proper risk assessment and implemented a cyber policy. This is because these committees not only consider the financial welfare of the organisation, but the connection between cyber security standards and the financial welfare of the company. The legal and reputational implications arising from that can involve protection against lawsuits questioning the level of cyber security that can be deemed “commercially reasonable”.

Experts recommend: That corporate board auditing committees decide who determines what “reasonable” cyber security standards are, who enforces them and what response procedure should be implemented.

Most of the forecasts for 2014 are not new. They’ve been reported in the media so much over the past year that cyber risks are not only keeping the InfoSec community up at night, but have now entered the sphere of general public concern. What these predictions are, however, is an exercise in learning from past mistakes, and considering the pace at which technology is developing, individuals and organizations need to learn fast.